E-voting debate heats up

The battle over electronic voting systems took an unexpected turn this week when election officials in San Bernardino County, Calif., announced plans to defy a state-imposed ban on the systems in the upcoming November presidential election.

In a statement Tuesday, county officials said they plan to use touch-screen voting systems developed by Oakland, Calif.-based Sequoia Voting Systems, a subsidiary of De La Rue PLC. The decision is in direct defiance of an April 30 directive by the California Secretary of State that stripped the systems of their certification in 10 counties, pending security improvements. The directive also banned the use of touch-screen systems from Diebold Election Systems Inc. in four other counties.

The controversy over the use of the systems stems from research and public statements by independent IT security experts who uncovered glaring security vulnerabilities in the hardware and software used in many of the e-voting systems on the market today.

"The California Secretary of State certified this system in its current form prior to the March 2, 2004 election, and absolutely nothing has occurred since that certification to call the system's performance or reliability into question," the San Bernardino County Board of Supervisors said in the statement. "Discontinuing or limiting the use of this system, or imposing unnecessary constraints on the system, will accomplish nothing other than needlessly shaking the public's confidence."

The statement goes on to say that the county reserves the right to join Riverside County officials in a lawsuit filed in federal court against the state on May 6 seeking to overturn the ban. "(Secretary of State Kevin) Shelley's ban on electronic voting systems is based on conjecture, supposition and what-ifs," said Roy Wilson, chairman of the Riverside County Board of Supervisors.

However, two prominent security experts remain steadfast in their concerns about the security of e-voting systems, also known as direct recording electronic (DRE) systems. And both said the decision by county officials in California is misguided, at best.

"If Sequoia had chosen to rig the outcome of the election in March, nobody could have known it," said Avi Rubin, a professor at the Johns Hopkins University Information Security Institute who has been at the center of the fight about e-voting systems since publication of a research paper last year that outlined major gaps in the security of the millions of lines of software code that powers each system.

"Just because voters like the way the machines look and feel does not mean that these nice-looking machines will produce the right result at the end of the election," said Rubin. "Qualified experts should decide what is secure and what is not."

Jeremy Epstein, senior director for product security at Fairfax, Va.-based WebMethods Inc., agreed with Rubin's assessment of electronic voting systems -- and said Rubin isn't alone in his concerns. Epstein is one of thousands of private-sector executives who have signed an online petition, located at www.verifiedvoting.org, calling for vendors to provide Voter Verified Paper Audit Trails (VVPAT) for their systems.

"The bottom line is that no DRE system without a VVPAT is ever going to be reliable," said Epstein. "Humans still don't know how to build completely reliable or secure systems, nor do we have any effective way of ensuring that there are no back doors installed in the software, which has been proven many times."

In fact, Epstein conducted a study of Advanced Voting Solutions Inc.'s WinVote system, which was used last year by Fairfax County in Virginia. According to Epstein, a failure in the WinVote system last November left the results of a county election questionable. As a result, a Republican candidate lost by a margin of 1 percent in an election where approximately 2 percent of the votes may have been recorded incorrectly, he said.

So far, only Sequoia Voting Systems has announced plans to offer a VVPAT upgrade for its touch-screen systems.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.